I was wondering what an authentication process would be like on a Websocket server.
I want to use the Javascript API for Websocket. But I would like to have a more restricted and controlled access to the applications that will have connection to this server. The problem is that since the Websocket is a layer apart from the application (that is, the Websocket does not have access to the application session), it "does not know" that the authenticated user is or is not authenticated on the other layer.
I would like to know what are the ways to restrict access to a Websocket.
For example: In an application where I notify the user of the status of their purchase, I want them to have access to this information in real time through the Websocket. But I need this to be "confirmed" as being the same one that is authenticated in my application.
Is there any technique or any specific recommendations regarding authentication on Websocket servers?
I thought about implementing some kind of token. Would it be a good fit?
Editing :
In a article I read on the internet about authentication in Websockets, I found an excerpt that, translated, reads as follows:
It is a common misconception that an authenticated user in the web hosting application is also authenticated in the socket stream. These are two completely different channels